CLAIMS 

What is claimed is: 



1 1. A computer-implemented method of determining enforcement security devices in a 

2 network topology, the method comprising: 

3 identifying a source node and a destination node for traffic that is to be sent through 

4 the network topology; 

5 programmatically identifying nodes in the network topology that are part of a path 

□ 6 closure set for that source node and destination node; and 

fj. 

Q 7 identifying each node in the path closure set that is a security device to result in 

IV 8 creating and storing a list of one or more enforcement security devices. 

12. A method as recited in Claim 1, further comprising implementing a security policy on 

M£ 2 security devices that are identified as nodes in the path closure set. 



13. A method as recited in Claim 1, wherein programmatically identifying nodes in the 

2 network topology that are part of a path closure set includes locating each node in the 

3 network topology, and determining if each located node is part of at least one non-looping 

4 communication path extending between the source node and the destination node. 

14. A method as recited in Claim 1, wherein 
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the step of programmatically identifying nodes in the network topology that are part of a 
path closure set includes locating a plurality of nodes in the network topology, and 
determining if each of the plurality of nodes is part of at least one non-looping 
communication path extending between the source node and the destination node; and 

the step of identifying each node in the path closure set is performed so that a duration for 
identifying all nodes in the path closure set is proportional to a number of links 
between each node in the network topology. 

5. A method as recited in Claim 1, wherein programmatically identifying nodes in the 
network topology that are part of a path closure set includes forward traversing a series of 
nodes sequentially before identifying all non-looping communication paths extending 
between the source node and the destination node, and determining if each node in the 
network topology satisfies at least one criteria for belonging to one of the non-looping 
communication paths identified as extending between the source node and the destination 
node. 
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16. A method as recited in Claim 1, wherein 

2 programmatically identifying nodes in the network topology that are part of a path closure set 

3 includes determining, prior to identifying all of the nodes in the path closure set, if 

4 each node in the network topology satisfies at least one criteria for belonging in the 

5 path closure set, and 

6 determining if each node in the network topology satisfies at least one criteria for belonging 

7 in the path closure set includes traversing amongst adjacent nodes in a sequence until 
13 8 each node in the network topology is checked to determine if that node satisfies the at 
O 9 least one criteria for belonging to the path closure set. 

Hi 7. A method as recited in Claim 6, wherein determining if each node in the network 

jj 8 * 2 topology satisfies at least one criteria for belonging in the path closure set includes at least 

jjj 3 one of (i) identifying that node as being in the path closure set if that node is part of a non- 

j*f 4 looping sequence of adjacent nodes that extend between the source node and the destination 

5 node, and (ii) identifying that node as being in the path closure set if that node is part of a 

6 looping sequence of nodes in which at least one node in the looping sequence is already 

7 designated as being part of the path closure set, and in which the at least one node designated 

8 as being part of the path closure set is not also a loop closure node for that looping sequence. 



-27- 

50325-0626 (Seq. No. 4895) 



1 8. A method as recited in Claim 6, wherein determining if each node in the network 

2 topology satisfies at least one criteria for belonging in the path closure set includes at least 

3 one of (i) identifying that node as being in the path closure set if that node is part of a non- 

4 looping sequence of adjacent nodes that extend between the source node and the destination 

5 node, (ii) identifying that node as being in the path closure set if that node is part of a looping 

6 sequence of nodes in which at least one node in the looping sequence is already designated as 

7 being part of the path closure set, and in which the at least one node designated as being part 

8 of the path closure set is not also a loop closure node for that looping sequence, and (iii) 

3 9 identifying that node as being in the path closure set if that node is part of a looping sequence 

f! 

s j£ 10 of nodes in which at least a first adjacent node to a loop closure node for that looping 



1 1 sequence of nodes is subsequently identified as being part of the path closure set. 



J ** 19. A method as recited in Claim 1, wherein programmatically identifying nodes in the 

ri 

2 2 network topology that are part of a path closure set includes checking each node in the 

3 network topology as being part of the path closure set by forward traversing from the source 

4 node to a sequence of nodes that are adjacent to one another until each node in the network 

5 topology is checked. 

1 10. A method as recited in Claim 1, wherein identifying each node in the path closure set 

2 includes checking each node in the network topology as being part of the path closure set 

3 using a depth-first methodology. 
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1 


11. A method of determining enforcement security devices in a network topology, the 


2 


method comprising the computer-implemented steps of: 


3 


locating a plurality of adjacent nodes in a sequence, the plurality of adjacent nodes 


4 


being between a source node and a destination node in the network topology, 


5 


each located node in the sequence having at least two adjacent nodes, 


6 


including a previous node in the sequence and a next node in the sequence, 


7 


wherein for each located node in the plurality of adjacent nodes, the next node 




is different than the previous node; 


6 9 

•rirs 


for each located node in the sequence: 


III 10 


determining if the located node is the destination node, and if the located node is the 




destination node, then identifying each node in the sequence as being part of a 


t 12 


path closure set between the source node and the destination node; 


H 13 


determining if the located node is a loop closure node, and if the located node is a 


!:! 14 


loop closure node, then determining if one or more nodes in the sequence that 


15 


are part of a loop path defined by the loop closure node are already designated 


16 


as being part of the path closure set, and 


17 


if one or more nodes in the sequence that are part of a loop path defined by the 


18 


loop closure node are already designated as being part of the path 


19 


closure set, then 


20 


designating each node in the loop path as part of the path closure set, 


21 


else 
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22 
23 
24 



designating each node in the loop path as part of the path closure set if at least 
a designated node in the loop path is subsequently determined to be 
part of the path closure set. 



1 12. A method as recited in Claim 11, wherein locating a plurality of adjacent nodes in a 

2 sequence includes locating each node in the network topology using the sequence. 

1 13. A method as recited by Claim 11, further comprising identifying one or more 

p 2 enforcement security devices from nodes in the path closure set. 

|1| 1 14. A method as recited in Claim 11, further comprising identifying one or more 

!«* 2 enforcement security devices from nodes in the path closure set, and implementing a security 

3 policy on the identified one or more enforcement security devices. 



1 15. A method as recited in Claim 11, determining that the located node is a loop closure 

2 node includes determining that the located node was located as a next node for at least two 

3 other nodes in the sequence. 

1 16. A method as recited in Claim 11, wherein designating each node in the loop path as 

2 part of the path closure set if a designated node in the loop path is subsequently determined to 

3 be part of the path closure set includes designating each node in the loop path as part of the 

4 path closure set if one of the at least two nodes in the sequence that are adjacent to the loop 

5 closure node is subsequently determined to be part of the path closure set. 
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17. A method as recited in Claim 11, wherein locating a plurality of adjacent nodes in a 
sequence includes locating the plurality of nodes using a depth-first methodology. 

18. A policy server communicatively coupled to one or more security devices in a 
network to implement a security policy, the policy server comprising: 

a processor configured to: 

identify a source node and a destination node for traffic that is to be sent 

through the network topology; 
automatically identify nodes in the network topology that are part of a path 

closure set for that source node and destination node; and 
identify each node in the path closure set that is a security device. 

19. The policy server of claim 18, wherein the processor is configured to implement a 
security policy using the identified one or more enforcement security devices. 

20. A computer readable medium for determining enforcement security devices in a 
network topology, the computer readable medium carrying instructions for performing the 
steps of: 

identifying a source node and a destination node for traffic that is to be sent through 

the network topology; 
programmatically identifying nodes in the network topology that are part of a path 

closure set for that source node and destination node; and 
identifying each node in the path closure set that is a security device. 
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21. A computer readable medium as recited in Claim 20, further comprising instructions 
for implementing a security policy on security devices that are identified as nodes in the path 
closure set. 

22. A computer readable medium as recited in Claim 20, wherein instructions for 
programmatically identifying nodes in the network topology that are part of a path closure set 
include instructions for locating each node in the network topology, and instructions for 
determining if the located node is part of at least one non-looping communication paths 
extending between the source node and the destination node. 

23. A computer readable medium as recited in Claim 20, wherein 

instructions for programmatically identifying nodes in the network topology that are part of 
a path closure set include instructions for locating a plurality of nodes in the network 
topology, and instructions for determining if the located node is part of at least one 
non-looping communication paths extending between the source node and the 
destination node; and 

instructions for identifying each node in the path closure set is executed so that a duration 
for identifying each node in the path closure set is proportional to a number of links 
between each node in the network topology. 
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1 24. A computer readable medium as recited in Claim 20, wherein instructions for 

2 programmatically identifying nodes in the network topology that are part of a path closure set 

3 include instructions for forward traversing a series of nodes sequentially before identifying all 

4 non-looping communication paths extending between the source node and the destination 

5 node, and instructions for determining if each node in the network topology satisfies at least 

6 one criteria for belonging to one of the non-looping communication paths identified 

7 extending between the source node and the destination node. 



0.1 25. A computer readable medium as recited in Claim 20, wherein 

ill 2 instructions for programmatically identifying nodes in the network topology that are part of a 

H< 3 path closure set include instructions for determining, prior to identifying all of the 

lir 

2 i! 

J** 4 nodes in the path closure set, if each node in the network topology satisfies at least 

22? 5 one criteria for belonging in the path closure set, and 

2 6 instructions for determining if each node in the network topology satisfies at least one criteria 

7 for belonging in the path closure set include instructions for traversing amongst 

8 adjacent nodes in a sequence until each node in the network topology is checked to 

9 determine if that node satisfies the at least one criteria for belonging to the path 
10 closure set. 
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1 26. A computer readable medium as recited in Claim 25, wherein instructions for 

2 determining if each node in the network topology satisfies at least one criteria for belonging 

3 in the path closure set includes instructions for at least one of (i) identifying that node as 

4 being in the path closure set if that node is part of a non-looping sequence of adjacent nodes 

5 that extend between the source node and the destination node, and (ii) identifying that node as 

6 being in the path closure set if that node is part of a looping sequence of nodes in which at 

7 least one node in the looping sequence is already designated as being part of the path closure 

U 

q 8 set, and in which the at least one node designated as being part of the path closure set is not 

O 9 also a loop closure node for that looping sequence. 

H 1 27. A computer readable medium as recited in Claim 25, wherein instructions for 

k* 2 determining if each node in the network topology satisfies at least one criteria for belonging 

W 3 in the path closure set includes instructions for at least one of (i) identifying that node as 

W 4 being in the path closure set if that node is part of a non-looping sequence of adjacent nodes 

5 that extend between the source node and the destination node, and (ii) identifying that node as 

6 being in the path closure set if that node is part of a looping sequence of nodes in which at 

7 least one node in the looping sequence is already designated as being part of the path closure 

8 set, and in which the at least one node designated as being part of the path closure set is not 

9 also a loop closure node for that looping sequence (iii) identifying that node as being in the 

10 path closure set if that node is part of a looping sequence of nodes in which at least a first 

11 adjacent node to a loop closure node for that looping sequence of nodes is subsequently 

12 identified as being part of the path closure set. 
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1 28. A computer readable medium as recited in Claim 20, wherein instructions for 

2 programmatically identifying nodes in the network topology that are part of a path closure set 

3 includes instructions for checking each node in the network topology as being part of the path 

4 closure set by forward traversing from the source node to a series of nodes that are 

5 sequentially adjacent to one another until each node in the network topology is checked. 

1 29. A computer readable medium as recited in Claim 20, wherein instructions for 



3^ 2 identifying each node in the path closure set includes instructions for checking each node in 

Q 

Q 3 the network topology as being part of the path closure set using a depth-first methodology. 



m 
s# - 

a*? 

jU 1 30. A computer system to determine enforcement security devices in a network topology: 

|<* 2 a processor configured to: 

W. 3 means for identifying a source node and a destination node for traffic that is to 

|J 4 be sent through the network topology; 

5 means for automatically identifying nodes in the network topology that are 

6 part of a path closure set for that source node and destination node; and 

7 means for identifying each node in the path closure set that is a security 

8 device. 
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